<h2>Why is this an issue?</h2>
<p>Constructing templates by dynamically inserting strings coming from third-party sources is an anti-pattern which creates code that is brittle,
difficult to read, and challenging to debug.</p>
<p>Moreover, in the long run, this practice progressively increases the likelihood of introducing <strong>Server-Side Template Injections
(SSTI)</strong>, sometimes in complex ways that are hard to detect.<br> An SSTI is the insertion of third-party data (like user data) within
templates, which enables attackers to execute arbitrary commands on the underlying operating system.</p>
<h2>How to fix it</h2>
<p>It is recommended to standardize on safe template-building practices.<br> Separate logic from presentation by passing dynamic data to templates
through a secure context or data-binding mechanism, rather than building the template string itself.</p>
<h3>Code examples</h3>
<h4>Noncompliant code example</h4>
<pre data-diff-id="1" data-diff-type="noncompliant">
const pug = require('pug');

const pugTemplate = `
doctype html
html
  head
    title=${pageTitle}
  body
    ${userInput}
`;

const compiledFunction = pug.compile(pugTemplate); // Sensitive

compiledFunction();
</pre>
<h2>Compliant Solution</h2>
<pre data-diff-id="1" data-diff-type="compliant">
const pug = require('pug');

const pugTemplate = `
doctype html
html
  head
    title= pageTitle
  body
    h1= mainHeading
    p.message= message
`;

const compiledFunction = pug.compile(pugTemplate);

const templateData = {
  pageTitle: 'Safe Template Example',
  mainHeading: 'Welcome!',
  message: 'This content is passed securely as data to the template.'
};
compiledFunction(templateData);
</pre>
<h2>Resources</h2>
<h3>Standards</h3>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A03_2021-Injection/">Top 10 2021 Category A3 - Injection</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A1_2017-Injection">Top 10 2017 Category A1 - Injection</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/20">CWE-20 - Improper Input Validation</a> </li>
</ul>
